Snort mailing list archives

Re: PulledPork 500 error


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 16 Apr 2014 13:29:28 +0000

Yeah, I’m not understanding that either.  That IP is not on our blacklist.  How often do you update the IP blacklist?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Apr 16, 2014, at 9:19 AM, Dave Corsello <snort-users () wintertreemedia com> wrote:

Any thoughts on this?

I'm able to get pulledpork to run successfully by adding 23.23.165.79 to my whitelist.  But my concern is that 
pulledpork or my DNS has been hijacked to pull info from a server that VRT has intentionally blacklisted.  The other 
possibility is that the IP was added in error to the blacklist.

Am I the only person whose blacklist contains 23.23.165.79?  If so, then I clearly have big problems.  The fact that no 
one else is reporting pulledpork failures indicates that this might be the case, although it could also indicate that 
few open source users are using Snort inline...

On 4/15/2014 11:01 AM, Dave Corsello wrote:
Sorry again for the confusion.  23.23.165.79 is included in my default.blacklist file, which is maintained by 
pulledpork.

Pulledpork is configured to get the blacklist from labs.snort.org.  Is that the way it should be configured?

It looks like labs.snort.org is handing the request off to an Amazon server at the IP address in question.  Is that the way it's supposed to work?

On 4/13/2014 12:10 AM, Dave Corsello wrote:
My apologies.  I can't find the IP address in any backup of the IP blacklist.  I assumed the address must have been in 
the blacklist because of the following alerts in BASE:

        ID            Signature                                         Timestamp            Source              Destination        Proto
        #4-(2-1375)   [snort 136-1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:56579   23.23.165.79:443   TCP
        #5-(2-1376)   [snort 136-1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:56579   23.23.165.79:443   TCP
        #6-(1-45791)  [snort 136-1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:43678   23.23.165.79:443   TCP
        #7-(1-45792)  [snort 136-1] reputation: Packet is blacklisted   2014-04-11 XX:XX:XX  XX.XX.XX.XX:43678   23.23.165.79:443   TCP

Internal IPs and times are obscured.  It appears that neither source nor destination IPs should have been blacklisted, 
but BASE reports them as having been blacklisted by Snort.  The packets were dropped; the times and internal IPs 
correspond to the failed pulledpork jobs.

On 4/12/2014 9:28 AM, Joel Esler (jesler) wrote:

The ip blacklist?

--
Joel Esler
Sent from my iPhone



On Apr 12, 2014, at 7:05, "Dave Corsello" <snort-users () wintertreemedia com> wrote:

The problem is that the IP address of the Amazon server from which
PulledPork pulls VRT rules was added by VRT to the default blacklist.
Any ideas why they might have done this?




On 4/11/2014 2:20 PM, waldo kitty wrote:


On 4/11/2014 10:41 AM, Dave Corsello wrote:
I got the following error in PulledPork last night:  "A 500 error
occurred, please verify that you have recently updated your root
certificates!"  I made no changes.  Any ideas what might be happening?


"root certificates" sounds like ssl certificates... heartbleed... wanna bet that
some certificates have been updated during heartbleed remediation and you now
need to update the certificates your system(s) use...


------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!











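The failure mode in this thread (a reputation blacklist that contains the address the sensor must reach to download its own rules and blacklist, so inline Snort drops the PulledPork session) is easy to catch before the nightly job runs.  Below is an added example, not code from PulledPork, Snort or anyone in the thread: it parses reputation list files in the preprocessor's one-address-or-CIDR-per-line format, applies the preprocessor's default whitelist-over-blacklist precedence, and reports any feed address that would be dropped.  The sample blacklist and whitelist, the address 23.23.165.79 placed in them, and the hostname-to-address mapping are all constructed for the demo; in practice you would resolve labs.snort.org and the rule server yourself at audit time, since the thread shows the request being handed off to a different (Amazon) address than the hostname suggests.

```python
"""Audit a Snort reputation blacklist/whitelist pair for entries that would
block the hosts a sensor itself needs to reach (rule and blacklist feeds).

Added example, not PulledPork or Snort code.  The list format mirrors the
reputation preprocessor's: one IPv4 address or CIDR block per line, '#'
comments.  Whitelist-over-blacklist precedence is the preprocessor's default
('priority whitelist'); the sample lists and feed IPs are constructed.
"""
import ipaddress

# Constructed sample files: a blacklist that contains the rule server's
# address (the situation in the thread) and a whitelist that does not.
SAMPLE_BLACKLIST = """\
# default.blacklist (constructed sample, not the real feed)
203.0.113.0/24
198.51.100.7
23.23.165.79      # the address the thread asks about
"""

SAMPLE_WHITELIST = """\
# local whitelist (constructed sample)
192.0.2.10
"""


def parse_reputation_list(text):
    """Return the ip_network entries in a reputation list file.

    Blank lines and '#' comments (whole-line or trailing) are ignored; a bare
    address becomes a /32.  Malformed lines raise, because a list that is
    silently half-loaded is worse than one that fails loudly.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from exc
    return nets


def matching_entries(ip, nets):
    """All list entries that cover ip (given as a string)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]


def verdict(ip, blacklist, whitelist, priority="whitelist"):
    """Return ('blocked' | 'whitelisted' | 'allowed', responsible entries).

    priority mirrors the reputation preprocessor's 'priority' option: the
    list that wins when an address appears in both.
    """
    b = matching_entries(ip, blacklist)
    w = matching_entries(ip, whitelist)
    if b and w:
        return ("whitelisted", w) if priority == "whitelist" else ("blocked", b)
    if b:
        return ("blocked", b)
    if w:
        return ("whitelisted", w)
    return ("allowed", [])


def audit_feeds(feeds, blacklist, whitelist, priority="whitelist"):
    """feeds: {hostname: [resolved IPs]}.  Return, per hostname, the
    addresses the sensor would drop as (ip, state, [entries as strings]).
    Hostnames that are fully reachable are omitted from the result.
    Resolve hostnames at audit time (e.g. socket.gethostbyname_ex); a
    redirect or CDN target can change between runs.
    """
    report = {}
    for host, ips in feeds.items():
        hits = []
        for ip in ips:
            state, entries = verdict(ip, blacklist, whitelist, priority)
            if state == "blocked":
                hits.append((ip, state, [str(n) for n in entries]))
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    bl = parse_reputation_list(SAMPLE_BLACKLIST)
    wl = parse_reputation_list(SAMPLE_WHITELIST)
    # Constructed resolution results; resolve the real feed hosts live in use.
    feeds = {"labs.snort.org (hand-off target)": ["23.23.165.79"],
             "www.snort.org": ["192.0.2.10"]}
    for host, hits in audit_feeds(feeds, bl, wl).items():
        for ip, state, entries in hits:
            print(f"{host}: {ip} would be {state} by {', '.join(entries)}")
```

Run it against the real default.blacklist and local whitelist after each PulledPork update and before reloading the sensor; a non-empty report means the next update will fail exactly as described above.  Adding the feed address to the whitelist, the workaround used in the thread, flips the verdict to 'whitelisted' under the default priority, but it also means a genuinely bad address at that feed host would no longer be dropped, so the whitelist entry deserves a comment and a periodic re-check rather than being left in place indefinitely.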
